HIPAA POLICY AND PROCEDURES
HIPAA POLICY AND PROCEDURES
The Health Insurance Portability and Accountability Act of 1996 requires that all affected entities create a plain language policy concerning the use and access of Personal Health Information (PHI). Georgia Highlands College, in its responsibility as a covered entity concerning employee personal health information will:
1.Neither use nor disclose Personal Health Information except as allowed by normal college business function and current law.
2.Not use PHI for employment related or non-plan purposes without specific employee authorization.
3.Will provide employees with access to their own PHI with prior notification and consent.
4.Report all unacknowledged and unauthorized uses of PHI.
5.Return or destroy all PHI by shredding, if applicable, when it is no longer needed or used for normal Georgia Highlands College functions.
6.Transmit and receive PHI from a secure location.
The Director of Human Resources will be designated as the Privacy Officer concerning PHI. Documented privacy related communication, actions, decisions; activities, as well as signed authorization, must be retained for a period of six (6) years.
The employee workforce of Georgia Highlands College must be trained annually concerning HIPAA and their rights concerning PHI. This training must be documented, either electronically or written, and kept on file. New employees must undergo training concerning HIPAA within 30 days of employment.
Before any PHI is distributed electronically to outside vendors or other covered entities, the affected employee must sign and complete a Georgia Highlands College authorization form. Only the Privacy Officer or designate will use the authorization form for its specific purpose.
Reasonable request for copies or viewing of PHI by the employee may be granted by the Privacy Officer or designate. Reasonable request for PHI by immediate family members may be granted with prior written notification and acknowledgement by the Georgia Highlands College Privacy Officer or designate.
Personal Health Information concerning Workers Compensation may be disclosed to the extent necessary for complying with state laws concerning injuries or illnesses without regard to fault or prior authorization.
Personal Health information affected under this policy will be stored in the employee file. This information is under limited access in the Human Resources department and only authorized employees are allowed access to this area.
Requests for PHI by other parties must be in writing and with prior authorization from the affected employee. Personal Health Information gathered from outside vendors will be received via secure fax in the HR department.
Failure to comply with the standards and procedures in this policy and other Privacy Rule regulations may lead to disciplinary action up to and including termination.
This policy may be amended, updated or revised at the request of the Privacy Office upon approval of the Presidents Cabinet.